<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><a id="OWAAM7E5C1BBD38FD4301A364D7B652079614" href="mailto:rsleevi@chromium.org"><span style="font-family:"Calibri",sans-serif;text-decoration:none">@Ryan Sleevi</span></a> will this position by Google Chrome to considered such certificates
to be mis-issued be applicable for certs issued by Private (Managed/Enterprise) CAs as well? I do understand that this forum is for public CAs but if Chrome is enforcing this in its browser, then like CT, it won’t work for Private CAs. Since there is a setting
provided by Chrome for CT for private CAs, will there eventually be the same capability for this scenario for private CAs? Thanks, Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Servercert-wg <servercert-wg-bounces@cabforum.org>
<b>On Behalf Of </b>Corey Bonnell via Servercert-wg<br>
<b>Sent:</b> Friday, August 6, 2021 5:45 AM<br>
<b>To:</b> CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br>
<b>Subject:</b> [EXTERNAL] [Servercert-wg] SC48 and case sensitivity of CN and SAN value encoding<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal">A question on the GitHub PR for SC48 [1] pointed out that the language surrounding acceptable encoding of CN values is not clear whether case mismatches of the SAN dNSName and CN value are allowed. The conclusion of that discussion is that
at least one Root Program will view such case mismatches as mis-issuance. It appears that there may be several CAs impacted by this, so I wanted to alert the group in case this is unexpected for those CAs.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Corey<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[1] <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fpull%2F285%23discussion_r683444000&data=04%7C01%7CMike.reilly%40microsoft.com%7C8d9598cdff7a47b6241a08d958d8122f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637638507321117907%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=2UJb%2F00k66QOp%2B83EKvf%2FqZ5TtP1gFy6HHPAy6W9LE0%3D&reserved=0">
https://github.com/cabforum/servercert/pull/285#discussion_r683444000</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>